From 534a67c5573e6c31ae5bb4fd8ebc97da19fa069e Mon Sep 17 00:00:00 2001
From: Selim Gurun
Date: Tue, 4 Sep 2012 16:45:53 -0700
Subject: DO NOT MERGE Control access to inherited methods of jsinterface objects

Bug: 7073422

Create the plumbing to use an annotation to allow access to inherited methods of jsinterface objects. The default webview behavior has not changed yet. However internally an a flag is introduced to restrict javascript access to methods that have an annotation.

Clean cherry pick of 94740e6c333a109be7516abbd17dd418f23b4f0c

Provided @JavascriptInterface to methods that are accessible from js.

Clean cherry pick of b743a23fc5bce9965c1539c3c8611614424a5aff

Add a glue logic to require use of annotations in injected accessibility objects.

Change-Id: I4135bd6787b2084177215302cd2c72afed090dc0
---
 core/java/android/webkit/BrowserFrame.java | 52 +++++++++++++++++++++++-------
 1 file changed, 40 insertions(+), 12 deletions(-)
(limited to 'core/java/android/webkit/BrowserFrame.java')

diff --git a/core/java/android/webkit/BrowserFrame.java b/core/java/android/webkit/BrowserFrame.java
index e52eb6e80cf0..9e454a7b1934 100644
--- a/core/java/android/webkit/BrowserFrame.java
+++ b/core/java/android/webkit/BrowserFrame.java
@@ -88,8 +88,19 @@ class BrowserFrame extends Handler {
 // Is this frame the main frame?
 private boolean mIsMainFrame;

+ // Javascript interface object
+ private class JSObject {
+ Object object;
+ boolean requireAnnotation;
+
+ public JSObject(Object object, boolean requireAnnotation) {
+ this.object = object;
+ this.requireAnnotation = requireAnnotation;
+ }
+ }
+ + // Attached Javascript interfaces
- private Map mJavaScriptObjects;
+ private Map mJavaScriptObjects;
 private Set mRemovedJavaScriptObjects;

 // Key store handler when Chromium HTTP stack is used.
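Review bot: JSObject in the first hunk is a non-static inner class with package-visible, non-final fields, so the `requireAnnotation` decision that gates what page script may reach stays mutable after registration, and every instance carries a hidden reference to its BrowserFrame. Both fields are assigned only in the constructor, so `private static final class JSObject { final Object object; final boolean requireAnnotation; ... }` fixes the access decision at registration time and drops the outer-instance link. The one-line comment could also say what the flag means, e.g. `// requireAnnotation: true exposes only @JavascriptInterface-annotated methods to page script; false exposes every public method, inherited ones included` (meaning taken from the commit message; confirm against the native side, which this diff does not show).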
@@ -233,10 +244,8 @@ class BrowserFrame extends Handler {
 }
 sConfigCallback.addHandler(this);

- mJavaScriptObjects = javascriptInterfaces;
- if (mJavaScriptObjects == null) {
- mJavaScriptObjects = new HashMap();
- }
+ mJavaScriptObjects = new HashMap();
+ addJavaScriptObjects(javascriptInterfaces);
 mRemovedJavaScriptObjects = new HashSet();

 mSettings = settings;
@@ -590,15 +599,34 @@ class BrowserFrame extends Handler {
 Iterator iter = mJavaScriptObjects.keySet().iterator();
 while (iter.hasNext()) {
 String interfaceName = iter.next();
- Object object = mJavaScriptObjects.get(interfaceName);
- if (object != null) {
+ JSObject jsobject = mJavaScriptObjects.get(interfaceName);
+ if (jsobject != null && jsobject.object != null) {
 nativeAddJavascriptInterface(nativeFramePointer,
- mJavaScriptObjects.get(interfaceName), interfaceName);
+ jsobject.object, interfaceName, jsobject.requireAnnotation);
 }
 }
 mRemovedJavaScriptObjects.clear();
 }

+ /*
+ * Add javascript objects to the internal list of objects. The default behavior
+ * is to allow access to inherited methods (no annotation needed). This is only
+ * used when js objects are passed through a constructor (via a hidden constructor).
+ *
+ */
+ private void addJavaScriptObjects(Map javascriptInterfaces) {
+
+ if (javascriptInterfaces == null) return;
+ Iterator iter = javascriptInterfaces.keySet().iterator();
+ while (iter.hasNext()) {
+ String interfaceName = iter.next();
+ Object object = javascriptInterfaces.get(interfaceName);
+ if (object != null) {
+ mJavaScriptObjects.put(interfaceName, new JSObject(object, false));
+ }
+ }
+ }
+
 /**
 * This method is called by WebCore to check whether application
 * wants to hijack url loading
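Review bot: addJavaScriptObjects registers every constructor-supplied object with `requireAnnotation` false, which per the commit message is the permissive mode where page script can call all public methods of the object, inherited ones included; the block comment above it says only "no annotation needed", which understates what a reader choosing between the two registration paths needs to know. Suggest `/** Registers objects passed through the hidden constructor. They are added with requireAnnotation=false, so page script may call every public method on them, inherited ones included; use addJavascriptInterface(Object, String, boolean) with true to limit exposure to @JavascriptInterface-annotated methods. */`, written as `/**` rather than `/*` so it is picked up as Javadoc. In both loops, iterating `entrySet()` would avoid the second lookup per key that `keySet()` plus `get()` costs. The method whose sync loop opens this hunk starts before the hunk.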
@@ -616,11 +644,11 @@ class BrowserFrame extends Handler {
 }
 }

- public void addJavascriptInterface(Object obj, String interfaceName) {
+ public void addJavascriptInterface(Object obj, String interfaceName,
+ boolean requireAnnotation) {
 assert obj != null;
 removeJavascriptInterface(interfaceName);
-
- mJavaScriptObjects.put(interfaceName, obj);
+ mJavaScriptObjects.put(interfaceName, new JSObject(obj, requireAnnotation));
 }

 public void removeJavascriptInterface(String interfaceName) {
@@ -1246,7 +1274,7 @@ class BrowserFrame extends Handler {
 * Add a javascript interface to the main frame.
 */
 private native void nativeAddJavascriptInterface(int nativeFramePointer,
- Object obj, String interfaceName);
+ Object obj, String interfaceName, boolean requireAnnotation);

 public native void clearCache();

-- 
cgit v1.2.3
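Review bot: The new `requireAnnotation` parameter on the public addJavascriptInterface carries no Javadoc, and neither does the matching native declaration in the last hunk, so a caller has to read the commit message to learn which value is the restrictive one. Suggest on addJavascriptInterface: `@param requireAnnotation true to expose only @JavascriptInterface-annotated methods of obj to page script; false to expose every public method, inherited ones included` (wording per the commit message; confirm against the native implementation). `assert obj != null;` is a no-op unless assertions are enabled, so a null obj is wrapped in a JSObject and then silently skipped by the `jsobject.object != null` check in the sync loop; `if (obj == null) throw new NullPointerException("obj");` would surface the mistake at the call site instead. The JNI implementation behind nativeAddJavascriptInterface must take the extra boolean as well; it is not part of this diff.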